Defense & Security

Getting around the Shannon limit of cryptography

A quantum-noise-randomized cipher has the potential to provide secure high-speed data-center service.

1 September 2010, SPIE Newsroom. DOI: 10.1117/2.1201008.003069

Cloud computing, a new network scheme based on data centers, has recently been attracting considerable attention. In such a system, all data is communicated via a high-speed optical network between the customer and a data center or between data centers. A drawback of this approach is what might be called the eavesdropping business: an eavesdropper could capture data from the transmission line, use a protocol analyzer for interface formats such as high-definition TV (HDTV) or music to select the valuable content, and sell it to malicious customers.

Thus far, standard encryption systems for ensuring data security have been based purely on mathematical algorithms. However, the challenge of quantitatively guaranteeing their security remains. Eavesdroppers can, in principle, retrieve and store ciphertext (encrypted data) from a line, so that later decryption of the stored ciphertext, whether by analysis of the mathematical algorithm or by brute force on a high-speed computer, is a distinct possibility. In particular, an eavesdropper who possesses samples of both a known plaintext and its corresponding ciphertext could launch a 'known-plaintext attack' by trying every possible key of the given key length (the number of bits in the secret key). The eavesdropper could then apply the recovered key to past ciphertext captured from the data center of interest and ultimately retrieve the desired information.

Development of ciphers at the physical layer has suggested a new way of building secure cloud computing systems. In 2000, H. P. Yuen proposed the concept of a randomized cipher based on quantum noise [1]. The representative concrete protocol for this quantum-noise-randomized cipher is Y00, also called α/η [1], and several implementation schemes have been realized [2–4]. The most important feature of this cipher is that the eavesdropper cannot obtain the correct ciphertext from the line, whereas a legitimate user armed with the secret key can. That is, the ciphertext Y_B received by the legitimate user and the ciphertext Y_E received by the eavesdropper differ: Y_B ≠ Y_E. The eavesdropper's ciphertext is incorrect, or noisy, owing to real noise in the eavesdropper's receiver. Thus, security is guaranteed both by the limited performance of the eavesdropper's receiver and by the additional difficulty of deciphering a ciphertext that is itself erroneous. This approach constitutes a new paradigm in cryptology.

Figure 1. Transceiver for the ASK-Y00 protocol under device-limit-assisted security, which operates at 2.5Gbit/s with 4096 signal levels.

There are two ways of realizing physical ciphers such as Y00. One is a phase-modulation scheme (PSK-Y00), which uses M pairs of two coherent states, one pair for each j = 1, 2, ..., M [2,3]. These M pairs are called the bases for transmitting the real information bit. The second approach is amplitude (or intensity) modulation (ASK-Y00) [4]. In this scheme, the amplitude or intensity levels are arranged into two blocks, and each basis consists of a pair of levels, one taken from each block.

Randomizing the basis involves a linear feedback shift register (LFSR). Each log₂ M-bit sequence from the LFSR selects the basis for sending one information bit, which is then transmitted using the two coherent states that correspond to the selected basis. The legitimate user's receiver, running the same LFSR as the transmitter, knows which pair of coherent states is in use and therefore needs only a binary decision to decipher the information bit. If the received signal power of the legitimate user is appropriate, that binary decision is error-free. The eavesdropper, who does not know the LFSR sequence, must discriminate among all 2M signals, and will incur critical errors in the received ciphertext owing to the quantum noise of the coherent states, even given a perfect analog-to-digital converter (ADC).

The attraction of the physical cipher is that it ensures twofold security: the eavesdropper needs, first, a receiver able to obtain the ciphertext, and second, the cryptanalytic capability, including computing resources, to decipher it. The Shannon limit on the security of a conventional symmetric-key cipher is well known: H(X|Y) ≤ H(K), where X is the plaintext, Y is the ciphertext, K is the secret key, H(X|Y) is the conditional entropy of the plaintext given the ciphertext, and H(K) is the entropy of the secret key. This limit suggests (pessimistically) that information-theoretic security can only be realized by a one-time pad (a key used only once). However, the limit assumes that the ciphertexts seen by the legitimate user and by the eavesdropper are the same. As mentioned above, the Y00 protocol allows Y_B ≠ Y_E, and accordingly it can exceed the Shannon limit. The sufficient condition for exceeding the Shannon limit is H(X|Y_E, K) > H(X|Y_B, K) = 0 [1].

This means that the legitimate user can decrypt without error, but the eavesdropper cannot decrypt even after later obtaining the true key, because the ciphertext it observed with its receiver is wrong. Any scheme that aims to ensure security against a known-plaintext attack must far exceed the Shannon limit. This condition can be satisfied by differentiating the ultimate receiver performance of the legitimate user from that of the eavesdropper, as in the following two situations.

The first is full quantum Y00, which assumes that the eavesdropper has a receiver capable of discriminating all 2M signal levels and can analyze the received data with unlimited computing power. Consequently, the legitimate user must have a 'quantum optimum receiver' to far exceed the Shannon limit. Quantum optimum receivers are currently being developed by the physics community [5]. The second situation, device-limit-assisted Y00, assumes that the eavesdropper's receiver is limited by current technology. In this case, the legitimate user can employ a conventional optical receiver for the binary signals and still far exceed the Shannon limit. Even if the eavesdropper later succeeds in devising a perfect receiver for discriminating 2M signal levels, the system still protects past data beyond the Shannon limit; it cannot protect data produced after such an invention. Even so, the system is superior to any mathematical encryption.

The first case provides unconditional security. The ultimate information rate is given by an equation [6] derived from a theorem formulated by one of us and others (the Holevo-Sohma-Hirota theorem).

In that equation, S is the signal energy and ⟨n⟩ is the external noise; the resulting rate is known as the generalized secret capacity. Putting it into practice will require further fundamental research on achieving quantum optimum receivers for legitimate users. The second case is a reasonable assumption in the real world. For a 2.5Gbit/s signal with 4096 levels, if the resolution of the eavesdropper's ADC is 7 bits, performance equal to the first case may be realized even if the legitimate user employs a conventional optical receiver.
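The basis-randomization mechanism described above (an LFSR running key selecting one of M bases, a legitimate receiver that needs only a binary decision, and an eavesdropper forced to resolve all 2M noisy levels) and the device-limit case (a coarse ADC) can be made concrete in a small simulation. The code below is an added illustration written for this page; it is not the authors' transceiver design or Hitachi's implementation. Everything in it is an assumption of the toy: M = 16 bases (32 levels rather than the 4096 of the test bed), a 16-bit Fibonacci LFSR with the polynomial x^16 + x^14 + x^13 + x^11 + 1 as the running-key generator, a constellation in which basis j pairs level j (bit 0) with level j + M (bit 1), Gaussian noise of one level standard deviation as a stand-in for the quantum noise of the coherent states, and a uniform ADC with a configurable number of bits for the eavesdropper. The simulation reports the legitimate user's bit error rate, how often the eavesdropper's recorded ciphertext differs from the transmitted symbol (Y_B ≠ Y_E), and how often a known-plaintext attacker would infer the wrong basis, i.e. the wrong running-key bits, from that recording.

```python
"""Toy ASK-Y00 simulation: LFSR-selected basis, 2M intensity levels, noisy receivers.
Added example for this article; all parameters below are constructed assumptions."""
import random

M = 16                                     # number of bases; 2M = 32 intensity levels (toy size)
KEY_BITS_PER_SYMBOL = M.bit_length() - 1   # log2 M running-key bits select the basis per symbol
NOISE_SIGMA = 1.0                          # assumed receiver noise, in level units (Gaussian stand-in
                                           # for quantum noise: neighbouring levels overlap, levels M apart do not)


def lfsr_keystream(key, n_bits):
    """Running key from a 16-bit Fibonacci LFSR (x^16 + x^14 + x^13 + x^11 + 1).
    The secret key is the nonzero initial state; width and taps are an assumption of this toy."""
    state = key & 0xFFFF
    if state == 0:
        raise ValueError("LFSR state must be nonzero")
    bits = []
    for _ in range(n_bits):
        feedback = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        bits.append(state & 1)
        state = (state >> 1) | (feedback << 15)
    return bits


def bases_from_key(key, n_symbols):
    """Group the keystream into log2 M bits per symbol -> basis index j in [0, M)."""
    bits = lfsr_keystream(key, n_symbols * KEY_BITS_PER_SYMBOL)
    return [int("".join(str(b) for b in bits[i:i + KEY_BITS_PER_SYMBOL]), 2)
            for i in range(0, len(bits), KEY_BITS_PER_SYMBOL)]


def level_for(basis, bit):
    """Assumed constellation: basis j pairs level j from the lower block (bit 0)
    with level j + M from the upper block (bit 1)."""
    return basis + bit * M


def quantize(y, adc_bits):
    """Eavesdropper's ADC: nearest of 2**adc_bits uniform codes spanning the 2M levels."""
    codes = 2 ** adc_bits
    step = (2 * M) / codes
    idx = min(max(int(round(y / step)), 0), codes - 1)
    return idx * step


def simulate(key, plaintext_bits, adc_bits, rng):
    """Transmit plaintext_bits under the running key; return error rates for both receivers."""
    bases = bases_from_key(key, len(plaintext_bits))
    bob_errors = eve_mismatch = eve_basis_errors = 0
    for j, x in zip(bases, plaintext_bits):
        y_true = level_for(j, x)                   # the symbol actually put on the line
        y = y_true + rng.gauss(0, NOISE_SIGMA)     # what any receiver measures
        # Legitimate user: knows j, so only decides between levels j and j+M at their midpoint.
        bob_bit = 1 if y > j + M / 2 else 0
        bob_errors += bob_bit != x
        # Eavesdropper: must resolve all 2M levels and stores the quantized reading as ciphertext.
        y_e = quantize(y, adc_bits)
        eve_mismatch += y_e != y_true
        # Known-plaintext attack on the recording: with x known, which basis (running-key
        # bits) does the stored level imply? Wrong whenever the recording is off by a level.
        eve_basis_errors += (int(round(y_e)) - x * M) != j
    n = len(plaintext_bits)
    return {
        "bob_ber": bob_errors / n,
        "eve_ciphertext_mismatch": eve_mismatch / n,
        "eve_basis_error": eve_basis_errors / n,
    }


def demo(adc_bits=5, n=4000, seed=1):
    """Run the toy with a fixed key and a constructed random plaintext."""
    rng = random.Random(seed)
    plaintext = [rng.getrandbits(1) for _ in range(n)]
    return simulate(key=0xACE1, plaintext_bits=plaintext, adc_bits=adc_bits, rng=rng)


if __name__ == "__main__":
    print("full-resolution ADC (5 bits for 32 levels):", demo(adc_bits=5))
    print("coarse ADC (3 bits for 32 levels):        ", demo(adc_bits=3))
```

With a full-resolution ADC the legitimate user decodes with no errors, because the two levels of a basis are M standard deviations apart, while the eavesdropper's recorded level differs from the transmitted one on roughly six symbols in ten, since only readings within half a level of the truth round correctly; every such mismatch also yields a wrong basis index to a known-plaintext attacker. Reducing the eavesdropper's ADC to three bits raises both figures further, which is the device-limit effect the article describes. The numbers scale, not the mechanism: the 4096-level test bed with a 7-bit eavesdropper ADC is the same geometry with a much wider constellation.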

Figure 1 shows an ASK-Y00 test bed, implemented by Hitachi Information and Communication Engineering, that operates at 2.5Gbit/s with 4096 signal levels. This encryption system can transmit HDTV without compression (see Figure 2) [7]. The system is classified as a device-limit-assisted ASK-Y00: the eavesdropper's ciphertext is completely randomized by the quantum noise together with the imperfect resolution of the eavesdropper's ADC. Even if an ultimate receiver with a perfect ADC were developed in the future, it would be of no use against ciphertext already recorded with a current receiver.

In summary, we have shown that a quantum encryption system using the Y00 protocol has the potential to exceed the Shannon limit. In principle, a legitimate user requires a quantum optimum receiver to far exceed the Shannon limit. However, when the eavesdropper's device is limited in a certain way, the same performance can be achieved using a conventional optical receiver. In the near future, we will report detailed implementation of a Y00 transceiver operating at 2.5Gbit/s with 4096 signal levels. We also plan to carry out research toward realizing a full quantum Y00.

Osamu Hirota, Takehisa Iwakoshi, Fumio Futami, Katsuyoshi Harasawa

Tamagawa University

Machida, Japan

Osamu Hirota and Fumio Futami are professor and associate professor of the Research Center for Quantum Information Science, respectively.

Takehisa Iwakoshi and Katsuyoshi Harasawa are visiting researchers at the Research Center for Quantum Information Science. They are also researchers at Hitachi Ltd.